https://arstechnica.com/security/2016/0 ... ew-attack/
NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.
The answer to that threat from Mozilla :
Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative—our project to introduce multi-process architecture to Firefox later this year—we will start to sandbox Firefox extensions so that they cannot share code.
NoScript is among popular addons that could be vulnerable to attack, but which is also one of the best addons, security-wise.
Here is a review of NoScript addon for Firefox :
https://www.revolvy.com/main/index.php? ... pic&nojs=1
Firefox addons sandboxing
Re: Firefox addons sandboxing
labbe5 wrote:https://arstechnica.com/security/2016/0 ... ew-attack/
NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.
NoScript is among popular addons that could be vulnerable to attack, but which is also one of the best addons, security-wise.
Here is a review of NoScript addon for Firefox :
https://www.revolvy.com/main/index.php? ... pic&nojs=1
Ok, I apologize for this following rant in advice. That said, here goes:
I have been saying this for years (as Belham and Belham2) on murga (and elsewhere on the Net), about browser security add-ons in general-----especially about "NoScript". As usual on here, I got belittled, batted & smacked down by the ostrich-minded NoScript believers who blindly believed that nothing could be wrong with their believed use of their perceptions. They blindly (and still do) believe they are "more" protected with browser-add-ons.
I will say it again---ABSOLUTELY TRUST NO BROWSER ADD-ON IN ANY BROWSER, WHATSOEVER---when it comes to doing your online sensitive data & sensitive financial transactions. And furthermore, ABSOLUTELY use a browser that allows you to deeply config the settings of that browser (bang on Firefox all you want, but there's a reason it is considered the best browser that can be "hardened").
There's been a few of us lone voices on murga here (8GEEE being another) trying to get users to wake up about "add-ons" and about "configuring/hardening" your browser. Honestly, if you blindly used add-ons, whatever they are, from blockers to things like NoScript, and if you someday get pawnd, data and/or financially-otherwise, and it is/was a result of "add-ons, you've got no one to blame but yourself.
Take this to heart: for general web browsing, sure, those full-of-holes browser add-ons are fine (and sometimes needed for general browsing reasons given the WildWest mentality of javascript on many web sites). But for the stuff that is mucho important, like sensitive data & especially fin'l info, stay the he!! away from them completely. Furthermore, modify (which means "HARDEN"), Firefox's settings to what many of us have posted repeatedly in this forum (and is also posted on other forums like Wilder's Security and Redditt). You can make Firefox stripped down and damn secure, and there's no reason not to have this version profile on your pristine system OS, an OS btw that is used solely to access sensitive stuff on the web and not used for anything else. Doing this, Firefox pretty much becomes the common-mans version of a hardened Tor-like browser that instead of focusing on secrecy, it focus on being impenetrable via being tightly wound & having no loose ends (read; 3rd party add-ons) to come in through.
NoScript developers (and other add-on developers), if any of you are reading this, you've known this (the holes your programs open up in browsers) for years now...we've repeatedly pointed them out to you and you chose to ignore them. Why? is it because of the ongoing chase of advert dollars through the obfuscation of what your product actually does in any browser? Damn, just disgusting....all add-ons have a motive, friends, they're not doing stuff just for free and for the betterment of humankind on the Net. Even EFF struggles with this, trying to gather data from browsers that, even when users opt-out-of not wanting to provide, still gets tracked/logged and thus opens up too many holes in the browser.
Yes here we go again indeed.
I will stick with NoScript.
Why?! Well, because, first of all, it makes browsing the web a bearable experience.
And secondly, as the article clearly points out, those vonurabilities everyone goes on about, can only be exploited when end users download and install a malicious add-on in their browser.
My only add-on is NoScript.
So I'm fine.
I will stick with NoScript.
Why?! Well, because, first of all, it makes browsing the web a bearable experience.
And secondly, as the article clearly points out, those vonurabilities everyone goes on about, can only be exploited when end users download and install a malicious add-on in their browser.
My only add-on is NoScript.
So I'm fine.
Belham, sorry if this comes across as a bit rude, but instead of banging on about it, why not provide a hardened firefox with the about:configs done. Then we could try it out and see if it blocks crappy ads etc.
I mean OscarTalks for instance just gets on with it and delivers Tor Browsers amongs others, and,.. most importantly, provides all the tech info, caveats, tweak suggestions, for those who wondered what the heck Tor was. It has No Script in it, but one can't seem to just allow scripts individually, it is either all or nowt.
Remember, MikeB is probably still whizzing along on Firefox 3 on his sailboat somewhere in the world and he never had as much as a sniff of a malicious puff.
Only the most geeky could put up with Links browser, and No Script does make the net bearable, as souleau mentions above.
Oi, Labbe 5, we used to have a postfs on Puppy who just posted things without comments who was purported to be a bot.
But I think we managed to get the bot to talk lol,
what's your take on it? What do you use?
I mean OscarTalks for instance just gets on with it and delivers Tor Browsers amongs others, and,.. most importantly, provides all the tech info, caveats, tweak suggestions, for those who wondered what the heck Tor was. It has No Script in it, but one can't seem to just allow scripts individually, it is either all or nowt.
Remember, MikeB is probably still whizzing along on Firefox 3 on his sailboat somewhere in the world and he never had as much as a sniff of a malicious puff.
Only the most geeky could put up with Links browser, and No Script does make the net bearable, as souleau mentions above.
Oi, Labbe 5, we used to have a postfs on Puppy who just posted things without comments who was purported to be a bot.
But I think we managed to get the bot to talk lol,
what's your take on it? What do you use?
firejail
I will repeat myself here, but with Firejail, you can go a long way security-wise using Firefox.
First of all, when used as it is intended to be, there are no addons, so belham2 has a point here, it is better not having any addons when you deal with sensitive data
How to have a pristine copy of Firefox without addons using Firejail :
add -no-remote, such as in this example :
firejail --private --dns=84.200.69.80 --dns=84.200.70.40 --caps.drop=all firefox -no-remote
dns resolvers are from DNS.Watch for privacy.
I don't even use Ublock, or NoScript, because i have confidence Firejail is acting behind the scene to keep me secure on the Web with profiles (each new version of Firejail adds new profiles for more apps).
But i always use VPNbook with Firejail, for an extra layer of security.
I hope i don't look like a bot anymore answering your question.
First of all, when used as it is intended to be, there are no addons, so belham2 has a point here, it is better not having any addons when you deal with sensitive data
How to have a pristine copy of Firefox without addons using Firejail :
add -no-remote, such as in this example :
firejail --private --dns=84.200.69.80 --dns=84.200.70.40 --caps.drop=all firefox -no-remote
dns resolvers are from DNS.Watch for privacy.
I don't even use Ublock, or NoScript, because i have confidence Firejail is acting behind the scene to keep me secure on the Web with profiles (each new version of Firejail adds new profiles for more apps).
But i always use VPNbook with Firejail, for an extra layer of security.
I hope i don't look like a bot anymore answering your question.
Thanks for the reply Labbe 5, no you certainly don't look like a bot anymore.
Never even heard of the firejail till now, very interesting. You run an extremely tight setup. I get where Belham is coming from as regards protecting user space.
Sylvander, you might be best to drop in a fresh pristine firefox if you wanted to be rid of addons, I think they manifest themselves in the profile and other places. Not so sure that remove does always remove..
Never even heard of the firejail till now, very interesting. You run an extremely tight setup. I get where Belham is coming from as regards protecting user space.
Sylvander, you might be best to drop in a fresh pristine firefox if you wanted to be rid of addons, I think they manifest themselves in the profile and other places. Not so sure that remove does always remove..
- Attachments
-
- 1.png
- (26.52 KiB) Downloaded 394 times
I mostly run Debian as my primary boot, Puppy is more of a admin boot choice for me. I run a restricted userid as my main (auto login) session, so even
cd ..
typed into a terminal results in
rbash: cd: restricted
In that session firefox has noscript installed, purely to prevent annoying pops/ads. I find that a good /etc/host file content is as good as ublock (making ublock unnecessary) and I believe most/all pups include creating such a host file content under Menu, Internet (usually the last choice in that menu layer is something like Puppy Adblock or something like that).
Much like a sandbox. Running (as root) lsof -i and the only internet traffic that shows as root is dhclient (I have very few ports/services open anyway).
For other stuff I just Ctrl-Alt-Fn swap to another terminal session and login either as root (if doing command line level admin tasks) or as user into a gui session .. which is a more normal userid with su ability etc. ... but where I don't access the internet using that userid ... excepting for loading up a pristine browser with no addons for online banking purposes (direct to the banks web site, nowhere else before or after, and then delete the ~/.cache/mozilla and ~/.mozilla folders afterwards).
After trying out the browser in Tahr being set to run as spot ... found that its ok'ish, but not there yet (if you upgrade the browser for instance it falls back to running as root again). Firejail is pretty good and I liked it when I used it for a while, but with my setup I don't really have a need for it.
cd ..
typed into a terminal results in
rbash: cd: restricted
In that session firefox has noscript installed, purely to prevent annoying pops/ads. I find that a good /etc/host file content is as good as ublock (making ublock unnecessary) and I believe most/all pups include creating such a host file content under Menu, Internet (usually the last choice in that menu layer is something like Puppy Adblock or something like that).
Much like a sandbox. Running (as root) lsof -i and the only internet traffic that shows as root is dhclient (I have very few ports/services open anyway).
For other stuff I just Ctrl-Alt-Fn swap to another terminal session and login either as root (if doing command line level admin tasks) or as user into a gui session .. which is a more normal userid with su ability etc. ... but where I don't access the internet using that userid ... excepting for loading up a pristine browser with no addons for online banking purposes (direct to the banks web site, nowhere else before or after, and then delete the ~/.cache/mozilla and ~/.mozilla folders afterwards).
After trying out the browser in Tahr being set to run as spot ... found that its ok'ish, but not there yet (if you upgrade the browser for instance it falls back to running as root again). Firejail is pretty good and I liked it when I used it for a while, but with my setup I don't really have a need for it.
Thanks for the reply, BUT...Smithy wrote:Sylvander, you might be best to drop in a fresh pristine firefox...
Is that what they call a "Metaphor"?
How do I "drop in" something I cannot hold in my hand?
Would I be correct in guessing that I need to:
Uninstall the existing Firefox? [No Firefox listed in the PPM]
OR...
Delete all of the files for Firefox?
Then install some new improved Firefox?
I'm running Slacko-5.7.0-PAE, and have:
Firefox 54.0.1
Palemoon 24.7.1
Vivaldi 1.4.589.41
slimjet-15.0.3.0-i686.sfs wouldn't run on this old OS.
So...
And because Firefox will not update to the latest on this old Slacko...
I tried to make a "live" CD-RW of Slacko-6.3.2, but...
Pburn wouldn't burn the iso image to my chosen [used/functional] CD-RW
[never normally see this problem happen].I have 6 other Puppies on CD-RW that are all older than Slacko-5.7.0 [the various pupsave files are all in various suitably-named folders in a partition on the internal HDD], and...
A number of Puppies [newer than Slacko-5.7.0] on Flash Drives, but my preferred OS is Slacko, so I'm attempting to update it.
Well bloated firefox isn't an improvement in my opinion, it all started to go a bit crappy a good while ago..but...
If they haven't changed things, then firefox has these places in puppy:
root .cache
root .mozilla
usr/lib mozilla (where the plugins live)
usr/lib firefox.
Those are the folders to delete.
Then run (or drop in) the firefox you want, set it up how you want and remaster or
save file it.
Hope this helps with whatever you are trying to achieve.
If they haven't changed things, then firefox has these places in puppy:
root .cache
root .mozilla
usr/lib mozilla (where the plugins live)
usr/lib firefox.
Those are the folders to delete.
Then run (or drop in) the firefox you want, set it up how you want and remaster or
save file it.
Hope this helps with whatever you are trying to achieve.
-
OscarTalks
- Posts: 2196
- Joined: Mon 06 Feb 2012, 00:58
- Location: London, England
Hello Sylvander,Sylvander wrote:Why doesn't Slacko-5.7.0 have "burniso2cd" installed I wonder?
Slacko 5.7.0 does have burniso2cd but the menu entry has been disabled for some reason.
You can still call burniso2cd from terminal.
The burniso2cd .desktop file in /usr/share/applications has the line "NoDisplay=true"
To restore the menu entry, change this to "NoDisplay=false" or delete the line.
Then run fixmenus followed by jwm -reload
Oscar in England
-
bark_bark_bark
- Posts: 1885
- Joined: Tue 05 Jun 2012, 12:17
- Location: Wisconsin USA
Ditto. And my firefox runs in a restricted shell user account with file/folder permissions also wrapped around that. Annoying at first that you can't even cd, but you soon get used to Ctrl-Alt-Fn into a more priviledged userid/session.souleau wrote:Yes here we go again indeed.
I will stick with NoScript.
Why?! Well, because, first of all, it makes browsing the web a bearable experience.
"...it makes browsing the web a bearable experience."
+2. Browsing without such addons these days is damn near impossible, it seems. Senseless and maddening out-of-control, page-imbedded adware that brings my hardware to it's knees!!
Me, I can't find the need to worry much about these kind of FUD reports - the level of risk is "proof in the pudding" as they say, and I know of no one - personally or otherwise - that has been pwnd by such "discovered" vulnerabilities. As far as I have been able to suss, any OS and it's application's code is literally filled with innumerable potential vulnerabilities - it's the nature of complex code. The real issue is if these vulnerabilities are actually being exploited in the wild, in the real world, and which ones they are, in particular.
But what I see is generally nada.
An example is the latest Chromium release - they've reported 40 vulnerabilities fixed since the last release, just 7 weeks earlier. How many of us have actually been effected by those 40?? Or ran across someone who has (without specifically searching for examples, BTW...)?? And how many (dozens? hundreds? thousands?) still exist... or are being added as development continues?
Meh.
And of course Mozilla/Firefox jumps right in touting these examples as powerful reasons to support it's (terrible!) decision to dump it's old addon API/support - for which it's user and dev community is up in arms about. How lame!
When the truth is, it's pretty damn rare, and not really much of an issue at all, as far as what I've observed. Again, just FUD - IMHO.
Bob
+2. Browsing without such addons these days is damn near impossible, it seems. Senseless and maddening out-of-control, page-imbedded adware that brings my hardware to it's knees!!
Me, I can't find the need to worry much about these kind of FUD reports - the level of risk is "proof in the pudding" as they say, and I know of no one - personally or otherwise - that has been pwnd by such "discovered" vulnerabilities. As far as I have been able to suss, any OS and it's application's code is literally filled with innumerable potential vulnerabilities - it's the nature of complex code. The real issue is if these vulnerabilities are actually being exploited in the wild, in the real world, and which ones they are, in particular.
But what I see is generally nada.
An example is the latest Chromium release - they've reported 40 vulnerabilities fixed since the last release, just 7 weeks earlier. How many of us have actually been effected by those 40?? Or ran across someone who has (without specifically searching for examples, BTW...)?? And how many (dozens? hundreds? thousands?) still exist... or are being added as development continues?
Meh.
And of course Mozilla/Firefox jumps right in touting these examples as powerful reasons to support it's (terrible!) decision to dump it's old addon API/support - for which it's user and dev community is up in arms about. How lame!
When the truth is, it's pretty damn rare, and not really much of an issue at all, as far as what I've observed. Again, just FUD - IMHO.Bob
The ostrich syndrome is strong and powerful here, especially the over-prevalent belief that NIMBY exists.
In the past 15 years, over 42 million bank account fin'l information has been misapproriated around the world (various estimates, despite banks worldwide still trying to quite this stuff, is in the neighborhood of nearly $20 billion (not million or hundreds of millions) but 20 effing billion lost over the past years since this fin'l attacks stuff started in earnest. In the U.S. alone, the latest figures out of banking circles is the number has crested 13 million in total.
3 of the top 4 banking viruses (Zbot a.k.a Zeus, Carberp, Spyeye & the bastard Citadel) of the past several years all, as one of their infection routes, came in through the browser. If you don't think that crooks aren't looking at the numerous holes in the worldwide browser add-on ecosystem, and how the blind, ostrich-like trust that browser users put into these add-ons, them whatever happens almost becomes deserved to that user given the level of knowledge about what is actually happening in the wild. "I didn't know...." is no longer going to be tolerated, nor should it.
In fact, I personally know both Citicorp and JPMorgan are entertaining ideas that if a person's fin'l info gets pwned through the browser, and they upon inverstigation definitely determine it was the browser as the vector, and Citi/JPM find that the browser used is/was loaded with 3rd party add-ons, they are going to fight that person/customer in court in terms of liability. It already happened to a small business person (a woman) in Michigan. She lost over $5 million.
Please do yourself a favor, allow yourself to feel just a little hesitation and/or alarm and do the necessary legwor (research) to find out what is going on.
Something seems lost in these overall comments, because there is no disagreement that for general browsing these add-ons are sometimes a must because of the wild-west mentality of javascript on many websites. But when it comes to sensitive info of any kind on your part, for you, your family, on the worldwide web, stay as far away from browser add-ons and furthermore, when accessing sensitive info stay away the general OS system you cruise the web with when using these add-ons (and whatever else you do). Just go pristine, always, and whatever you do.
In other words, increase your "digital entropy" (hopefully, it is understood what this means).
In the past 15 years, over 42 million bank account fin'l information has been misapproriated around the world (various estimates, despite banks worldwide still trying to quite this stuff, is in the neighborhood of nearly $20 billion (not million or hundreds of millions) but 20 effing billion lost over the past years since this fin'l attacks stuff started in earnest. In the U.S. alone, the latest figures out of banking circles is the number has crested 13 million in total.
3 of the top 4 banking viruses (Zbot a.k.a Zeus, Carberp, Spyeye & the bastard Citadel) of the past several years all, as one of their infection routes, came in through the browser. If you don't think that crooks aren't looking at the numerous holes in the worldwide browser add-on ecosystem, and how the blind, ostrich-like trust that browser users put into these add-ons, them whatever happens almost becomes deserved to that user given the level of knowledge about what is actually happening in the wild. "I didn't know...." is no longer going to be tolerated, nor should it.
In fact, I personally know both Citicorp and JPMorgan are entertaining ideas that if a person's fin'l info gets pwned through the browser, and they upon inverstigation definitely determine it was the browser as the vector, and Citi/JPM find that the browser used is/was loaded with 3rd party add-ons, they are going to fight that person/customer in court in terms of liability. It already happened to a small business person (a woman) in Michigan. She lost over $5 million.
Please do yourself a favor, allow yourself to feel just a little hesitation and/or alarm and do the necessary legwor (research) to find out what is going on.
Something seems lost in these overall comments, because there is no disagreement that for general browsing these add-ons are sometimes a must because of the wild-west mentality of javascript on many websites. But when it comes to sensitive info of any kind on your part, for you, your family, on the worldwide web, stay as far away from browser add-ons and furthermore, when accessing sensitive info stay away the general OS system you cruise the web with when using these add-ons (and whatever else you do). Just go pristine, always, and whatever you do.
In other words, increase your "digital entropy" (hopefully, it is understood what this means).
I'm plenty well aware that this stuff is going on, Belham2... no question, there. It's downright frightening if you focus on it (belham2 wrote:Please do yourself a favor, allow yourself to feel just a little hesitation and/or alarm and do the necessary legwor (research) to find out what is going on.
!!!). But in the bigger picture of that knowledge, mixed with my own, long personal observations of it actually happening - actually affecting the lives of those many dozens (hundreds?) of good friends/family around me (the vast majority whom have little-to-no technical knowledge when it comes to computing - and I do tend to rib 'em about it... 
)... it just simply doesn't happen to any substantially disruptive frequency or degree. Sure - a couple of Yahoo! email accounts hacked, a false credit card charge on rare occasion... that's about it, all I've ever experienced first-hand amongst these folks.The businesses involved understand this about the "average users", and knows that the responsibility of securing their services cannot reliably rest on the backs of their end-users - thus the existence of a substantial security industry. To a major degree, it's their job... literally.
It's one of those risk vs. rewards things, is all I'm saying. Much like crime, terrorism, accidents while driving, tornadoes and earthquakes - you apply a modicum of knowledge-backed diligence in taking reasonable precautions, and otherwise just get on with things without worrying about it too much.
Life itself is riddled with countless risks - it'd quickly get downright un-fun and not worth it if one were to even begin an attempt at rigorously addressing 'em all (and given the natural complexity of computers... that's a whole bunch, all by itself!). That's all this ostrich means to say...
BTW, both Firefox and Palemoon have the feature to open an instance of the browser with all extensions disabled (under the "Help" menu)... this particular vulnerability thusly being a complete non-issue.
All IMHO, of course.
Bob
Never noticed that.Moat wrote:BTW, both Firefox and Palemoon have the feature to open an instance of the browser with all extensions disabled (under the "Help" menu)... this particular vulnerability thusly being a complete non-issue
I do like noscript, but only install any extensions in a browser running under a restricted userid (rbash, no su or sudo, contained by folder permissions ...etc) i.e. in effect sandboxed. I would have thought that installing a extension especially within a root account compromises the system, little different to running any other dubious program/thing. For online banking I do use a higher privileged userid and a clean version of the browser with nothing else added in. I like pure Debian (main repositories only) for that type of reason (other than via Debian, only other way in is via the browser or open ports ... and I have nearly all ports turned off (or running under low privileges), along with multiple layers of firewalls (PC, router, cable modem)).
I suspect a lot of bank frauding goes on and likely banks will increasingly look to potentially side-step claims/compensations rather than simply paying up, perhaps by citing insecure or inappropriate (outdated system/browser) usage by the claimants.